What is two-factor authentication (2FA)?

Two-factor authentication — often shortened to 2FA — means a website asks for two different proofs that you are really you, not just a password.

This page explains it in plain language. No jargon required.

Why passwords alone are not enough

A password is something you know. If someone steals or guesses it, they can pretend to be you.

2FA adds something else — usually something you have (a phone or security key) or something you are (fingerprint).

Simple analogy

A password is like a front door key. 2FA is like that key plus a code only your phone knows. A thief needs both.

The two "factors" in Saxon's setup

| Factor | Example in this household |
| --- | --- |
| Something you know | Master password, Authentik password, bank PIN |
| Something you have | YubiKey (security key), phone with authenticator app, SMS code |

Saxon uses YubiKeys for the strongest "something you have" on important sites. See Desk YubiKey and Portable YubiKey.

Common types you might see

1. Security key / YubiKey (best for Saxon's critical accounts)

  1. You enter username and password.
  2. A popup says "Insert your security key" or "Touch your YubiKey."
  3. You enter a short PIN on the key (if asked).
  4. You touch the gold circle on the key.
  5. Login completes.

Used for: Vaultwarden, Cloudflare, and similar high-value accounts.

2. Authenticator app (6-digit codes)

  1. You enter username and password.
  2. The site asks for a 6-digit code.
  3. You open an app (Google Authenticator, Authentik, etc.) on a phone.
  4. You type the code before it expires (usually 30 seconds).

The app and the website share a secret set up once — no text message needed.

3. SMS text message

  1. You enter username and password.
  2. The bank texts a code to your phone.
  3. You type the code on the website.

Weaker than a YubiKey (SIM swap scams exist) but common for banks.

4. Email code

Similar to SMS — a code or link is sent to your email address. Convenient but not as strong as a hardware key.

What Saxon's docs site uses

| Site | Second factor? |
| --- | --- |
| docs.saxobroko.com (via Authentik) | Usually password only after Cloudflare sends you to Authentik |
| vault.saxobroko.com | Yes — YubiKey and/or authenticator |
| Cloudflare admin | Yes — YubiKey |
| MyState / Vanguard | Bank's own rules — often SMS or app |

Recovery codes — save these offline

When you turn on 2FA, many sites offer one-time recovery codes — a list of backup codes if you lose your phone or key.

Recovery codes are passwords too

Store them outside SaxDocs — sealed paper, safe, or a Vaultwarden secure note after you are already inside the vault. Never commit them to git or markdown.

If you lose both YubiKeys and have no recovery codes, you can be locked out permanently.

Step-by-step — what to do when a site asks for 2FA

  1. Finish the username and password step first (from Vaultwarden when possible).
  2. Read the prompt carefully — security key, authenticator, or SMS?
  3. Security key: plug in the desk key, or tap the portable key using NFC — see Desk YubiKey.
  4. Authenticator: open the app on Saxon's phone; type the 6 digits.
  5. SMS: unlock Saxon's phone; read the text; type the code quickly.
  6. If it fails twice, stop and read Login troubleshooting.

FAQ

Is 2FA the same as "MFA"?
Yes — multi-factor authentication (MFA) often means two or more factors. People use 2FA and MFA interchangeably in casual talk.

Do I need 2FA every single time?
Often the browser remembers the device for a while. Banks and the vault may ask again on a new device or after some weeks.

Can family share one YubiKey?
Each person should have their own accounts for personal banking. Saxon's YubiKeys unlock Saxon's accounts — handling an estate may require the bank's deceased-estate process, not just the key.